---
description: |-
  The "server" command starts an OpenBao server that responds to API requests. By
  default, OpenBao will start in a "sealed" state. The OpenBao cluster must be
  initialized before use.
---

# server

The `server` command starts an OpenBao server that responds to API requests. By
default, OpenBao will start in a "sealed" state. The OpenBao cluster must be
initialized before use, usually by the `bao operator init` command. Each OpenBao
server must also be unsealed using the `bao operator unseal` command or the
API before the server can respond to requests.

For more information, please see:

- [`operator init` command](/docs/commands/operator/init) for information
  on initializing an OpenBao server.

- [`operator unseal` command](/docs/commands/operator/unseal) for
  information on providing unseal keys.

- [OpenBao configuration](/docs/configuration) for the syntax and
  various configuration options for an OpenBao server.

## Examples

Start a server with a configuration file:

```shell-session
$ bao server -config=/etc/openbao/config.hcl
```

Run in "dev" mode with a custom initial root token:

```shell-session
$ bao server -dev -dev-root-token-id="root"
```

## Usage

The following flags are available in addition to the [standard set of
flags](/docs/commands) included on all commands.

### Command options

- `-config` `(string: "")` - Path to a configuration file or directory of
  configuration files. This flag can be specified multiple times to load
  multiple configurations. If the path is a directory, all files which end in
  .hcl or .json are loaded.

- `-log-level` `(string: "info")` - Log verbosity level. Supported values (in
  order of descending detail) are `trace`, `debug`, `info`, `warn`, and `error`. This can
  also be specified via the `BAO_LOG_LEVEL` environment variable.

- `-log-format` `(string: "standard")` - Log format. Supported values
  are `standard` and `json`. This can also be specified via the
  `BAO_LOG_FORMAT` environment variable.

- `-log-file` - the absolute path where OpenBao should save log
  messages in addition to other, existing outputs like journald / stdout. Paths
  that end with a path separator use the default file name, `openbao.log`. Paths
  that do not end with a file extension use the default `.log` extension. If the
  log file rotates, OpenBao appends the current timestamp to the file name
  at the time of rotation. For example:

  `log-file` | Full log file | Rotated log file
  ---------- | ------------- | ----------------
  `/var/log` | `/var/log/openbao.log` | `/var/log/openbao-{timestamp}.log`
  `/var/log/my-diary` | `/var/log/my-diary.log` | `/var/log/my-diary-{timestamp}.log`
  `/var/log/my-diary.txt` | `/var/log/my-diary.txt` | `/var/log/my-diary-{timestamp}.txt`

- `-log-rotate-bytes` - to specify the number of
  bytes that should be written to a log before it needs to be rotated. Unless specified,
  there is no limit to the number of bytes that can be written to a log file.

- `-log-rotate-duration` - to specify the maximum
  duration a log should be written to before it needs to be rotated. Must be a duration
  value such as 30s. Defaults to 24h.

- `-log-rotate-max-files` - to specify the maximum
  number of older log file archives to keep. Defaults to 0 (no files are ever deleted).
  Set to -1 to discard old log files when a new one is created.

- `VAULT_ALLOW_PENDING_REMOVAL_MOUNTS` `(bool: false)` - (environment variable)
  Allow OpenBao to be started with builtin engines which have the `Pending Removal`
  deprecation state. This is a temporary stopgap in place in order to perform an
  upgrade and disable these engines. Once these engines are marked `Removed` (in
  the next major release of OpenBao), the environment variable will no longer work
  and a downgrade must be performed in order to remove the offending engines. For
  more information, see the [deprecation faq](/docs/deprecation/faq/#q-what-are-the-phases-of-deprecation).

### Dev options

- `-dev` `(bool: false)` - Enable development mode. In this mode, OpenBao runs
  in-memory and starts unsealed. As the name implies, do not run "dev" mode in
  production.

- `-dev-tls` `(bool: false)` - Enable TLS development mode. In this mode, OpenBao runs
  in-memory and starts unsealed with a generated TLS CA, certificate and key.
  As the name implies, do not run "dev" mode in production.

- `-dev-tls-cert-dir` `(string: "")` - Directory where generated TLS files are created if `-dev-tls` is specified. If left unset, files are generated in a temporary directory.

- `-dev-listen-address` `(string: "127.0.0.1:8200")` - Address to bind to in
  "dev" mode. This can also be specified via the `VAULT_DEV_LISTEN_ADDRESS`
  environment variable.

- `-dev-root-token-id` `(string: "")` - Initial root token. This only applies
  when running in "dev" mode. This can also be specified via the
  `VAULT_DEV_ROOT_TOKEN_ID` environment variable.

  _Note:_ The token ID should not start with the `s.` prefix.

- `-dev-no-store-token` `(string: "")` - Do not persist the dev root token to
  the token helper (usually the local filesystem) for use in future requests.
  The token will only be displayed in the command output.

- `-dev-plugin-dir` `(string: "")` - Directory from which plugins are allowed to be loaded. Only applies in "dev" mode, it will automatically register all the plugins in the provided directory.
